Top 10 lists

Customers need a ready-to-go productivity solution that is inherently secure and trustworthy. To help you determine
the security and trustworthiness of cloud productivity services and choose a cloud service provider that
meets your security expectations, we have identified the key privacy and security considerations that should
inform your decision.

Using these three top-ten lists can help you save time and make a more informed decision.


Top questions you should ask a cloud service provider when you are considering the cloud for your IT services, and how Microsoft Office 365 answers these questions

1. Who owns the data we store in your service? Will you use our data to build advertising products?

As a customer of Office 365, you own and control your data. We do not use your data for
anything other than providing you with the service that you have subscribed to. As a service
provider, we do not scan your email or documents for advertising purposes. For more information,
please visit How we use your data in the Office 365 Trust Center.

2. Do you offer privacy controls in your service?

Privacy controls are enabled by default for all customers of the service, and we allow you
to turn privacy-impacting features on and off to meet the needs of your organization. We
contractually commit to robust privacy and security measures in the data processing terms
of your agreement.

3. Do we have visibility into where you store our data in the service?

We are transparent about where your data is located. For more information, please visit
Where is my data in the Office 365 Trust Center.

4. What is your approach to security and which security features do you offer to protect your service from external attacks?

Security is one of the most important design principles and features of Office 365. Our
focus on security spans hardware, software, the physical security of our datacenters, policies
and controls, and verification by independent auditors.

Security features fall into two broad categories: 1) built-in security and 2) customer controls.
Built-in security covers all the measures that Microsoft takes on behalf of all Office
365 customers to protect your information and run a highly available service. Customer controls
are features that let you configure Office 365 to meet the specific needs of your organization.
You can get details about both types of security features in the Security section
of the Office 365 Trust Center.

5. Can we get our data out of your service?

You own your data and retain all rights, title, and interest in the data you store with
Office 365. During your subscription, and for 90 days after it ends, you can download a copy of all
of your data at any time and for any reason, without any assistance from Microsoft. For more
information, please visit It's your data in the Office 365 Trust Center.

6. Will you inform us when things change in the service, and will you let us know if our data is compromised?

We do inform you if there are any important changes to the service with respect to security,
privacy, and compliance. We also promptly notify you if your data has been accessed improperly.

7. Are you transparent with the way you use and access our data?

We disclose important aspects of data storage, such as the geographic location where your data
resides, who at Microsoft can access it, and what we do with that information
internally. For more information, please visit the Who can access your data section
of the Office 365 Trust Center.

Our position on access to your data is:
We always give you access to your customer data. Access to customer data is strictly controlled and logged, and sample audits are performed by both Microsoft and third parties to attest that access is only for appropriate business purposes. We recognize the extra importance of our customers' content. If someone such as Microsoft personnel, partners, or your own administrators access your content on the service, we can provide you with a report on that access upon request.

8. What kind of commitments do you have with respect to security and privacy?

For Office 365, we are willing to sign data processing terms, a HIPAA Business Associate
Agreement, and the EU Model Clauses with each customer. We also comply with standards
such as ISO 27001, ISO 27018, FISMA, and FedRAMP. For more information, please visit the
Independently verified section of the Office 365 Trust Center.

9. How do you ensure that your service is reliable?

We apply best practices in design and operations, including redundancy, resiliency, distributed
services, and monitoring. We recently started publishing our quarterly uptime
numbers for the service. For more information, please visit the
Transparent operations section of the Office 365 Trust Center.

10. What are your commitments regarding keeping my service up?

We offer 99.9% uptime via a financially backed service level agreement. If a customer experiences
monthly uptime that is less than 99.9%, we compensate that customer through service credits.

For more information and proof points about how Microsoft Office 365 provides assurance to customers about the questions
above, please visit the
Office 365 Trust Center.

2. We enable encryption of data both at rest and in transit over the network between a datacenter and a user.

3. We don't mine or access your data for advertising purposes.

4. We use customer data only to provide the service; we don't otherwise look in your mailbox without your permission.

5. We regularly back up your data.

6. We won't delete all the data in your account at the end of your service term until you have had time to take advantage
of the data portability that we offer.

7. We host your customer data in-region.

8. We enforce strong passwords to increase the security of your data.

9. We allow you to turn privacy-impacting features on and off to meet your needs.

10. We contractually commit to the promises made here with the data processing terms in your volume licensing agreement.
For more information, visit the
Independently verified section of the Office 365 Trust Center.

Top 10 compliance areas of Office 365

1. Health Insurance Portability and Accountability Act (HIPAA):

HIPAA imposes security, privacy, and reporting requirements regarding the processing of
electronic protected health information on customers that may be "covered entities" under
the law. Microsoft developed Office 365 to provide physical, administrative, and technical
safeguards that help our customers comply with HIPAA. We offer a HIPAA Business Associate
Agreement (BAA) to any customer. For more information about the HIPAA BAA, visit the
HIPAA/HITECH FAQ.

2. Data processing terms:

We provide customers with additional contractual
assurances through our data processing terms regarding Microsoft handling and safeguarding
of customer data. By agreeing to these terms, we commit to over 40 specific security commitments
collected from regulations worldwide. The robust commitments in our data processing terms
are available to customers by default.

3. Federal Information Security Management Act (FISMA):

FISMA requires U.S. federal
agencies to develop, document, and implement controls to secure their information and information
systems. The Federal Risk and Authorization Management Program (FedRAMP) is a federal risk
management program that provides a standardized approach for assessing and monitoring the
security of cloud products and services. The FedRAMP/FISMA FAQ
describes how the Office 365 service follows security and privacy processes relating to FedRAMP/FISMA.

4. ISO 27001:

ISO 27001 is one of the most widely recognized security benchmarks in the world. Many products in Office 365 have been verified to meet the rigorous set of physical, logical, process, and management controls defined by
ISO 27001:2013.
The most recent audit also included the ISO 27018 privacy controls. Including these ISO 27018 controls in the ISO assessment further helps Office 365 demonstrate to customers the level of protection it provides for the privacy of customer
data.

5. European Union (EU) Model Clauses:

The EU Data Protection Directive,
a key instrument of EU privacy and human rights law, requires our customers in the EU to
legitimize the transfer of personal data outside of the EU. The EU Model Clauses are recognized
as a preferred method for legitimizing the transfer of personal data outside the EU for cloud
computing environments. Offering the EU Model Clauses involves investing in and building the
operational controls and processes required to meet their exacting requirements. Unless a cloud
service provider is willing to agree to the EU Model Clauses, a customer
might lack confidence that it can comply with the EU Data Protection Directive's requirements
for the transfer of personal data from the EU to jurisdictions that do not provide "adequate
protection" for personal data. The EU model clauses FAQ
describes the Microsoft regulator-endorsed approach for the EU Model Clauses.

6. ISO 27018:

Microsoft is the first major cloud service provider to be
independently verified as complying with ISO 27018, which establishes a uniform, international
approach to protecting the privacy of personal information stored in the cloud. Our compliance
with ISO 27018 means that we only process personal information in accordance with customer
instructions, we are transparent about what happens to customer data, we provide strong security
protections for personal information in our cloud, customer data will not be used for advertising,
and we inform customers about government access to their data.

7. Family Educational Rights and Privacy Act (FERPA):

FERPA imposes requirements
on U.S. educational organizations regarding the use or disclosure of student education records,
including email and attachments. Microsoft agrees to use and disclosure restrictions imposed
by FERPA that limit our use of student education records, including agreeing to not scan
emails or documents for advertising purposes.

8. SSAE 16 SOC 1 and SOC 2 reports:

Office 365 has been audited by independent third parties and can provide SSAE 16 SOC 1 Type
I and Type II and SOC 2 Type II reports on how the service implements controls.

9. Gramm–Leach–Bliley Act (GLBA):

The Gramm–Leach–Bliley Act requires financial
institutions to put processes in place to protect their clients' nonpublic personal information.
GLBA requires policies that protect this information from foreseeable threats to its security and
integrity. Customers subject to GLBA can use Office 365 and comply with GLBA requirements.

10. Health Information Trust Alliance (HITRUST):

The Office 365 team, in
partnership with an independent assessor, has completed an assessment to evaluate our compliance
with HITRUST. Viewed as an important standard by U.S. healthcare organizations, HITRUST has
established the Common Security Framework (CSF), a certifiable framework that can be used
by any organization that creates, accesses, stores, or exchanges personal health and financial
information.